FIREWALL-CMD(1)                   firewall-cmd                  FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be applied to the runtime
       configuration, to the permanent configuration, or to both (see the
       --permanent option below); a runtime-only change is lost on reload.

OPTIONS
       Sequence options are the options that can be specified multiple times.
       For them the exit code is 0 if there is at least one item that
       succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and
       ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
       issues while parsing the items, these are treated as warnings and do
       not change the result as long as there is a succeeded one. Without any
       succeeded item, the exit code depends on the error codes: if there is
       exactly one error code, that code is used; if there is more than one,
       UNKNOWN_ERROR (254) is used.

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration,
           i.e. all runtime-only changes done until the reload are lost if
           they have not also been made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because connection
           tracking state is lost. This option should only be used in case of
           severe firewall problems, for example if there are state tracking
           problems such that no connection can be established even with
           correct firewall rules.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is to make runtime
           changes only while configuring firewalld and, once you are happy
           with the configuration and have tested that it works the way you
           want, save it to disk with this option.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.
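
       The exit-code rules for sequence options and the runtime/permanent
       workflow described above, as an added shell example that is not part
       of the firewall-cmd man page or of the firewalld project: apply a
       change at runtime with a --timeout so a mistake cannot lock you out,
       verify it, then commit it with --runtime-to-permanent, --check-config
       and --reload. The FWCMD variable, the function names and the
       zone/service names in the demo are assumptions of this example; the
       treatment of exit codes 11, 12 and 16 as success follows the text
       above.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page. FWCMD lets the functions
# be pointed at a stub (assumption); by default the real client is used.
FWCMD="${FWCMD:-firewall-cmd}"

# Exit codes the man page says sequence options count as success:
# 0, ALREADY_ENABLED (11), NOT_ENABLED (12), ZONE_ALREADY_SET (16).
fw_is_success() {
    case "$1" in
        0|11|12|16) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one firewall-cmd invocation; return 0 for any "succeeded" code,
# otherwise report and return the real exit code so callers can stop.
fw_run() {
    "$FWCMD" "$@"
    rc=$?
    if fw_is_success "$rc"; then
        return 0
    fi
    echo "firewall-cmd $* failed with exit code $rc" >&2
    return "$rc"
}

# Add services to a zone in the runtime configuration only, with a timeout:
# if the change cuts off remote access, firewalld removes it by itself.
# Usage: fw_trial_services ZONE TIMEVAL SERVICE...
fw_trial_services() {
    zone=$1; timeval=$2; shift 2
    for svc in "$@"; do
        fw_run --zone="$zone" --add-service="$svc" --timeout="$timeval" || return $?
    done
}

# Persist the runtime configuration that has just been verified, validate the
# resulting permanent configuration, and reload so runtime == permanent.
# Refuses to run when the daemon is not active (--state returns non-zero).
fw_commit() {
    "$FWCMD" --state >/dev/null || { echo "firewalld is not running" >&2; return 1; }
    fw_run --runtime-to-permanent || return $?
    fw_run --check-config || return $?
    fw_run --reload
}

# Demo: run with FW_DEMO=1 as root on a host where firewalld is active.
if [ "${FW_DEMO:-0}" = 1 ]; then
    fw_trial_services public 10m ssh https &&
        "$FWCMD" --zone=public --query-service=ssh &&
        fw_commit &&
        "$FWCMD" --zone=public --query-service=ssh   # still present after reload?
fi
```

       The --timeout is only a runtime safety net: after fw_commit the
       --reload makes the permanent configuration the runtime configuration,
       so the rules stay until removed explicitly. --runtime-to-permanent
       copies whatever is in the runtime configuration at that moment, so run
       the commit only after the trial rules are confirmed to be the ones you
       want; the final --query-service shows whether they survived the reload.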

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also the final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after a service restart/reload or a system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can optionally be added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.
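
       An added shell example, not part of the man page or of firewalld, that
       turns the --get-active-zones listing above into one "zone kind name"
       record per binding and then reports the zone each interface
       effectively lands in. Interfaces with no binding are handled by the
       default zone, which is the case an audit usually wants to catch. It
       assumes the two-space indentation the client prints for the
       interfaces:/sources: lines, and uses a constructed sample listing;
       fw_parse_active_zones and fw_effective_zone are names chosen here.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page.

# Read --get-active-zones output on stdin and print one record per binding:
#   ZONE interfaces NAME   or   ZONE sources ADDRESS
# Unindented lines are zone names; indented "interfaces:"/"sources:" lines
# list the bindings of the zone most recently seen (assumes the client's
# two-space indentation).
fw_parse_active_zones() {
    awk '
        /^[^ \t]/ { zone = $1; next }
        /^[ \t]+(interfaces|sources):/ {
            kind = $1; sub(/:$/, "", kind)
            for (i = 2; i <= NF; i++) print zone, kind, $i
        }'
}

# Print "IFACE ZONE" for each interface given, reading the listing on stdin.
# An interface without an explicit binding is handled by the default zone
# (see --get-default-zone), so that zone is reported for it.
# Usage: fw_effective_zone DEFAULT_ZONE IFACE...
fw_effective_zone() {
    default=$1; shift
    parsed=$(fw_parse_active_zones)
    for ifc in "$@"; do
        z=$(printf '%s\n' "$parsed" |
            awk -v i="$ifc" '$2 == "interfaces" && $3 == i { print $1; exit }')
        printf '%s %s\n' "$ifc" "${z:-$default}"
    done
}

# Constructed sample listing in the format documented above (not real output).
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
  sources: 10.0.0.0/8
trusted
  interfaces: docker0'

# Live use on a firewalld host:
#   firewall-cmd --get-active-zones |
#       fw_effective_zone "$(firewall-cmd --get-default-zone)" eth0 wlan0
if [ "${FW_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | fw_effective_zone public eth1 docker0 wlan0
fi
```

       With the sample listing and default zone public, eth1 is reported in
       public, docker0 in trusted, and wlan0, which has no binding at all, in
       public as well; the last case is the one to look for when an interface
       was expected to be in a more restrictive zone.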

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or "no zone"
           if it is not bound to any zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or "no zone" if
           it is not bound to any zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

   Policy Options
       [--permanent] --get-policies
           Print predefined policies as a space separated list.

       [--permanent] --info-policy=policy
           Print information about the policy policy.

       [--permanent] --list-all-policies
           List everything added for or enabled in all policies.

       --permanent --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --permanent --path-policy=policy
           Print the path of the policy configuration file.

       --permanent --delete-policy=policy
           Delete an existing permanent policy.

       --permanent --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--permanent] [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       --permanent [--zone=zone] [--policy=policy] --get-target
           Get the target.

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones the target is one of: default, ACCEPT, DROP, REJECT

           For policies the target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               •   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               •   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

       --permanent [--zone=zone] [--policy=policy]
       --set-description=description
           Set the description.

       --permanent [--zone=zone] [--policy=policy] --get-description
           Print the description.

       --permanent [--zone=zone] [--policy=policy] --set-short=description
           Set the short description.

       --permanent [--zone=zone] [--policy=policy] --get-short
           Print the short description.

       [--permanent] [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-service=service
       [--timeout=timeval]
           Add a service. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy] --remove-service=service
           Remove a service. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-service=service
           Return whether the service has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-port=portid[-portid]/protocol [--timeout=timeval]
           Add the port. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-protocol=protocol
       [--timeout=timeval]
           Add the protocol. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
           Add the source port. This option can be specified multiple times.
           If a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of the supported ICMP types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --add-masquerade
       [--timeout=timeval]
           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
           be active for the specified amount of time. timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade. If masquerading was enabled with a
           timeout, it will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-rich-rule='rule'
       [--timeout=timeval]
           Add the rich language rule 'rule'. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove the rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether the rich language rule 'rule' has been added.
           Returns 0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--permanent] [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--permanent] [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--permanent] [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--permanent] [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--permanent] [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It is
       required to specify --policy=policy with these options.

       --permanent --policy=policy --get-priority
           Get the priority.

       --permanent --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       [--permanent] --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       [--permanent] --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wild card for zones. However it does not include
           traffic originating from the host machine - use HOST for that.

       [--permanent] --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       [--permanent] --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       [--permanent] --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       [--permanent] --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       [--permanent] --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       [--permanent] --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.
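
       The priority, target and ingress/egress options above combined into
       one procedure, as an added shell example that is not from the man page
       or the firewalld project: create a permanent policy, give it a negative
       priority so it is evaluated before any zone rules, bind its ingress and
       egress zones, set the target to REJECT and then allow only the listed
       services. The demo builds one forwarding policy (zone internal to zone
       external) and one policy with the HOST pseudo-zone as ingress, which
       per the text above matches traffic the host itself originates. FWCMD,
       fw_new_policy, fw_activate and the policy and service names are
       assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page. FWCMD is an assumption so
# the function can be pointed at a stub; by default the real client is used.
FWCMD="${FWCMD:-firewall-cmd}"

# Create a permanent policy that allows only SERVICE... from INGRESS to
# EGRESS and rejects everything else on that path. Every step is a separate
# firewall-cmd call; the first failure stops the function and is returned as
# the client's exit code, so a half-built policy is visible to the caller.
# Usage: fw_new_policy NAME PRIORITY INGRESS EGRESS SERVICE...
fw_new_policy() {
    name=$1; prio=$2; ingress=$3; egress=$4; shift 4
    "$FWCMD" --permanent --new-policy="$name" || return $?
    # priority < 0: the policy's rules run before all rules in all zones
    "$FWCMD" --permanent --policy="$name" --set-priority="$prio" || return $?
    "$FWCMD" --permanent --policy="$name" --add-ingress-zone="$ingress" || return $?
    "$FWCMD" --permanent --policy="$name" --add-egress-zone="$egress" || return $?
    # REJECT target: anything the policy does not explicitly allow is rejected
    "$FWCMD" --permanent --policy="$name" --set-target=REJECT || return $?
    for svc in "$@"; do
        "$FWCMD" --permanent --policy="$name" --add-service="$svc" || return $?
    done
}

# The options above are permanent-only: a reload is needed before the
# policies take effect.
fw_activate() {
    "$FWCMD" --reload
}

# Demo: run with FW_DEMO=1 as root on a host where firewalld is active.
#  - lan-to-wan: forwarded traffic from zone internal to zone external,
#    ssh and https only.
#  - host-egress: new connections the host itself opens (HOST ingress) to
#    any zone, DNS and HTTPS only. Deliberately strict; extend the service
#    list before using this on a real host.
if [ "${FW_DEMO:-0}" = 1 ]; then
    fw_new_policy lan-to-wan -100 internal external ssh https &&
        fw_new_policy host-egress -50 HOST ANY dns https &&
        fw_activate &&
        "$FWCMD" --info-policy=lan-to-wan
fi
```

       Because the priority is negative, a REJECT in either policy is final:
       zone rules never see the packet. A policy with a positive priority
       would instead act as a fallback after the zones' own rules.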

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone of the connection that is
           using the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

           As an end user you don't need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces into
           zones automatically (according to the ZONE= option from the
           ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do
           it only if there is no /etc/sysconfig/network-scripts/ifcfg-interface
           file. If there is such a file and you add the interface to a zone
           with this --add-interface option, make sure the zone is the same in
           both cases, otherwise the behaviour would be undefined. Please also
           have a look at the firewalld(1) man page in the Concepts section.
           For permanent association of an interface with a zone, see also
           'How to set or change a zone for a connection?' in
           firewalld.zones(5).

       [--permanent] [--zone=zone] --change-interface=interface
           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone of the connection that is
           using the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

           Change the zone the interface interface is bound to, to zone zone.
           It is basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone of the connection that is
           using the interface. If this fails, the zone binding is removed in
           firewalld and the limitations below apply.

           For the addition or change of interfaces that are not under control
           of NetworkManager: firewalld tries to change the ZONE setting in
           the ifcfg file, if an ifcfg file exists that is using the
           interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to the
           default zone. Only the zone binding is then removed in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. It is
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

           ipset names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load ipset default settings or report a NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for the ipset.

       --permanent --ipset=ipset --get-description
           Print the description of the ipset.

       --permanent --ipset=ipset --set-short=description
           Set the short description of the ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of the ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with the option timeout is permitted,
           but these entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to the ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout will yield an error. Entries are
           not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but are already in the ipset, a warning will
           be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove the entries listed in the file from the ipset. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       --permanent --path-ipset=ipset
           Print the path of the ipset configuration file.
844
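       The entries-file format and the --query-entry exit codes described
       above, as an added shell example that is not from this man page or
       from the firewalld project: it validates the set name, reads the
       entries file the way --add-entries-from-file does, loads the set and
       verifies the result. FIREWALL_CMD is an assumed variable so the client
       can be replaced by a stub; the file contents in the comments are
       constructed.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld
# project: build a permanent ipset from an entries file, applying the
# checks the man page describes before touching the firewall.
# FIREWALL_CMD (an assumed variable) names the client binary so the
# logic can be exercised against a stub without a running firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# ipset names must be alphanumeric and may additionally contain '_' and '-'.
valid_ipset_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the entries of a file in the format --add-entries-from-file reads:
# one entry per line; lines starting with '#' or ';' and empty lines are
# ignored.  Surrounding whitespace is trimmed before the check.
# A constructed file might read:
#   # blocklist, constructed sample
#   10.0.0.0/8
#   192.0.2.1
ipset_file_entries() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "");
           if ($0 != "" && $0 !~ /^[#;]/) print }' "$1"
}

# Translate the exit code of --query-entry into a word.  0 and 1 are the
# documented true/false results; IPSET_WITH_TIMEOUT (32) is the error an
# ipset created with a timeout option returns, because firewalld does not
# track its entries.  Anything else is a genuine failure.
ipset_entry_state() {  # ipset entry
    if "$FIREWALL_CMD" --permanent --ipset="$1" --query-entry="$2" >/dev/null 2>&1
    then rc=0; else rc=$?; fi
    case $rc in
        0)  echo present ;;
        1)  echo absent ;;
        32) echo untracked ;;
        *)  echo error ;;
    esac
}

# Create the permanent set, load the file, then verify that every entry
# the file contains is now present.  Prints the number of entries that
# are not present and returns non-zero if that number is not 0.
ipset_sync_from_file() {  # ipset file [type]
    name=$1; file=$2; type=${3:-hash:net}
    if ! valid_ipset_name "$name"; then
        echo "invalid ipset name: $name" >&2; return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2; return 2
    fi
    # No --option=timeout=... here: a timeout would make every later
    # --query-entry fail with IPSET_WITH_TIMEOUT.
    "$FIREWALL_CMD" --permanent --new-ipset="$name" --type="$type" \
        --family=inet >/dev/null || return $?
    "$FIREWALL_CMD" --permanent --ipset="$name" \
        --add-entries-from-file="$file" >/dev/null || return $?
    missing=0
    for entry in $(ipset_file_entries "$file"); do
        state=$(ipset_entry_state "$name" "$entry")
        if [ "$state" != present ]; then
            echo "$entry: $state" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
    [ "$missing" -eq 0 ]
}
```

       The permanent set becomes effective in the runtime configuration only
       after --reload, so a deployment script would follow the sync with one.
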
   Service Options
       Options in this section affect only one particular service.

       [--permanent] --info-service=service
           Print information about the service service. The output format is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 helpers: helper1 ..
                 destination: ipv1:address1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-service=service
           Add a new permanent and empty service.

           Service names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file with an
           optional name override.

       --permanent --delete-service=service
           Delete an existing permanent service.

       --permanent --load-service-defaults=service
           Load service default settings or report NO_DEFAULTS error.

       --permanent --path-service=service
           Print the path of the service configuration file.

       --permanent --service=service --set-description=description
           Set a new description for the service.

       --permanent --service=service --get-description
           Print the description of the service.

       --permanent --service=service --set-short=description
           Set the short description of the service.

       --permanent --service=service --get-short
           Print the short description of the service.

       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent
           service.

       --permanent --service=service --get-protocols
           List protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List source ports added to the permanent service.

       --permanent --service=service --add-helper=helper
           Add a new helper to the permanent service.

       --permanent --service=service --remove-helper=helper
           Remove a helper from the permanent service.

       --permanent --service=service --query-helper=helper
           Return whether the helper has been added to the permanent service.

       --permanent --service=service --get-service-helpers
           List helpers added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set the destination for ipv to address[/mask] in the permanent
           service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.

       --permanent --service=service --get-destinations
           List destinations added to the permanent service.

       --permanent --service=service --add-include=service
           Add a new include to the permanent service.

       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.

       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent
           service.

       --permanent --service=service --get-includes
           List includes added to the permanent service.

   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with the module and optionally the
           family defined.

           Helper names must be alphanumeric and may additionally include
           the character '-'.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print the path of the helper configuration file.

       [--permanent] --get-helpers
           Print predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set a new description for the helper.

       --permanent --helper=helper --get-description
           Print the description of the helper.

       --permanent --helper=helper --set-short=description
           Set the short description of the helper.

       --permanent --helper=helper --get-short
           Print the short description of the helper.

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List ports added to the permanent helper.

       --permanent --helper=helper --set-module=description
           Set the module description for the helper.

       --permanent --helper=helper --get-module
           Print the module description of the helper.

       --permanent --helper=helper --set-family=description
           Set the family description for the helper.

       --permanent --helper=helper --get-family
           Print the family description of the helper.

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new permanent and empty icmptype.

           ICMP type names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load icmptype default settings or report NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set a new description for the icmptype.

       --permanent --icmptype=icmptype --get-description
           Print the description of the icmptype.

       --permanent --icmptype=icmptype --set-short=description
           Set the short description of the icmptype.

       --permanent --icmptype=icmptype --get-short
           Print the short description of the icmptype.

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in the permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List destinations in the permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print the path of the icmptype configuration file.

   Direct Options
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it is not
       possible to use for example --add-service=service or
       --add-rich-rule='rule'.

       Warning: Direct rules behave differently depending on the value of
       FirewallBackend. See CAVEATS in firewalld.direct(5).

       The first argument of each option has to be ipv4 or ipv6 or eb. With
       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list.
           This option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there is
           no other chain with this name already.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see iptables-save | grep direct
           output for all of them). These chains are jumped into before
           chains for zones, i.e. every rule put into INPUT_direct will be
           checked before rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this
           way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option
           concerns only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option
           concerns only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           on top of the chain; with a higher priority the rule will be added
           further down. Rules with the same priority are on the same level
           and the order of these rules is not fixed and may change. If you
           want to make sure that a rule will be added after another one,
           use a low priority for the first and a higher one for the
           following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority and the arguments args from chain
           chain in table table. Only rules previously added with --direct
           --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules from the chain with name chain in table table.
           This option concerns only rules previously added with --direct
           --add-rule in this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise.
           This option concerns only rules previously added with --direct
           --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline separated
           list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that are changing
       firewall rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the
           lockdown whitelist when you enable lockdown, you will not be able
           to disable it again with firewall-cmd; you would need to edit
           firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then
       all command lines starting with the command will match. If the '*' is
       not there, the absolute command line including its arguments must
       match.

       Command paths for users are not always the same and depend on the
       user's PATH. Some distributions symlink /bin to /usr/bin, in which
       case it depends on the order they appear in the PATH environment
       variable.

       The context is the security (SELinux) context of a running
       application or service. To get the context of a running application
       use ps -e --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
           1. context
           2. uid
           3. user
           4. command

       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0
           if true, 1 otherwise.

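       The whitelist matching rules and the check order described above, as
       an added shell example that is not part of this man page or of
       firewalld: the LOCKDOWN_* list variables and the function names are
       assumptions, and the sample entries in the comments are constructed.
       It lets an administrator see offline which entry would admit a given
       caller, and flags unconfined contexts.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld
# project: an offline check of which whitelist entry, if any, would let
# a caller through lockdown.  The lists are newline-separated variables
# (assumed names); fill them from the output of the
# --list-lockdown-whitelist-* options, e.g. (constructed values):
#   LOCKDOWN_CONTEXTS='system_u:system_r:NetworkManager_t:s0'
#   LOCKDOWN_COMMANDS='/usr/bin/firewall-config
#   /usr/local/sbin/fw-deploy*'
# The matching follows the man page's description, not firewalld's source.
LOCKDOWN_CONTEXTS="${LOCKDOWN_CONTEXTS:-}"
LOCKDOWN_UIDS="${LOCKDOWN_UIDS:-}"
LOCKDOWN_USERS="${LOCKDOWN_USERS:-}"
LOCKDOWN_COMMANDS="${LOCKDOWN_COMMANDS:-}"

# Does command line $2 match whitelist command entry $1?  A trailing '*'
# turns the entry into a prefix; without it the absolute command line,
# arguments included, has to be identical.
lockdown_command_matches() {  # entry cmdline
    case "$1" in
        *\*) case "$2" in "${1%\*}"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Is $3 in the newline-separated list $2?  With mode "command" the
# entries are compared with lockdown_command_matches, otherwise exactly.
list_matches() {  # mode list value
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if [ "$1" = command ]; then
            lockdown_command_matches "$entry" "$3" && return 0
        elif [ "$entry" = "$3" ]; then
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# Check a caller in the documented order: context, uid, user, command.
# Prints the list that matched, or "none", and returns 0 only on a match.
lockdown_check() {  # context uid user cmdline
    if list_matches exact "$LOCKDOWN_CONTEXTS" "$1"; then echo context; return 0; fi
    if list_matches exact "$LOCKDOWN_UIDS" "$2"; then echo uid; return 0; fi
    if list_matches exact "$LOCKDOWN_USERS" "$3"; then echo user; return 0; fi
    if list_matches command "$LOCKDOWN_COMMANDS" "$4"; then echo command; return 0; fi
    echo none
    return 1
}

# Flag whitelisted contexts that are unconfined: such an entry opens
# lockdown to far more than one application.  Prints them, one per line.
lockdown_unconfined_contexts() {
    printf '%s\n' "$LOCKDOWN_CONTEXTS" | grep 'unconfined' || true
}
```
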
   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped,
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if
           the machine is being broken into.

           This is a runtime only change.

       --panic-off
           Disable panic mode. After disabling panic mode, established
           connections might work again if panic mode was enabled for a
           short period of time.

           This is a runtime only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.

EXAMPLES
       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable the http service in the default zone. This is a runtime only
       change, i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in the default zone.
       To make the change effective immediately and also after restart we
       need two commands. The first command makes the change in the runtime
       configuration, i.e. makes it effective immediately, until restart.
       The second command makes the change in the permanent configuration,
       i.e. makes it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp

EXIT CODES
       On success 0 is returned. On failure the output is red colored and the
       exit code is either 2 in case of wrong command-line option usage or
       one of the following error codes in other cases:

       ┌────────────────────┬──────┐
       │String              │ Code │
       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │ 11   │
       ├────────────────────┼──────┤
       │NOT_ENABLED         │ 12   │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │ 13   │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │ 14   │
       ├────────────────────┼──────┤
       │PANIC_MODE          │ 15   │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │ 16   │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │ 17   │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │ 18   │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │ 19   │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │ 20   │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │ 21   │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │ 22   │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │ 23   │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │ 24   │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │ 25   │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │ 26   │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │ 27   │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │ 28   │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │ 29   │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │ 30   │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │ 31   │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │ 32   │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │ 33   │
       ├────────────────────┼──────┤
       │ALREADY_SET         │ 34   │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │ 35   │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │ 36   │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │ 37   │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │ 38   │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │ 100  │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │ 101  │
       ├────────────────────┼──────┤
       │INVALID_PORT        │ 102  │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │ 103  │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │ 104  │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │ 105  │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │ 106  │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │ 107  │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │ 108  │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │ 109  │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │ 110  │
       ├────────────────────┼──────┤
       │INVALID_IPV         │ 111  │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │ 112  │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │ 113  │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │ 114  │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │ 115  │
       ├────────────────────┼──────┤
       │INVALID_NAME        │ 116  │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │ 117  │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │ 118  │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │ 119  │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │ 120  │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │ 121  │
       ├────────────────────┼──────┤
       │INVALID_RULE        │ 122  │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │ 123  │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │ 124  │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │ 125  │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │ 126  │
       ├────────────────────┼──────┤
       │INVALID_MARK        │ 127  │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │ 128  │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │ 129  │
       ├────────────────────┼──────┤
       │INVALID_USER        │ 130  │
       ├────────────────────┼──────┤
       │INVALID_UID         │ 131  │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │ 132  │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │ 133  │
       ├────────────────────┼──────┤
       │INVALID_MAC         │ 134  │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │ 135  │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │ 136  │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │ 137  │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │ 138  │
       ├────────────────────┼──────┤
       │INVALID_PRIORITY    │ 139  │
       ├────────────────────┼──────┤
       │INVALID_POLICY      │ 140  │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │ 200  │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │ 201  │
       ├────────────────────┼──────┤
       │MISSING_PORT        │ 202  │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │ 203  │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │ 204  │
       ├────────────────────┼──────┤
       │MISSING_NAME        │ 205  │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │ 206  │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │ 207  │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │ 251  │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │ 252  │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │ 253  │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │ 254  │
       └────────────────────┴──────┘

       Note that the return codes of --query-* options are special:
       successful queries return 0, unsuccessful ones return 1, unless an
       error occurred, in which case the table above applies.

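       Example 2 and the exit code table, combined in an added shell example
       that is not from this man page or from the firewalld project: a
       wrapper that applies one change in the runtime and the permanent
       configuration and interprets the exit codes listed above, so that a
       deployment script can be re-run safely. FIREWALL_CMD is an assumed
       variable so the client can be replaced by a stub offline.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld
# project: apply one change the way Example 2 does (runtime first, then
# permanent) while interpreting the exit codes from the EXIT CODES table.
# FIREWALL_CMD (assumed variable) names the client so a stub can stand
# in for it; a usage error (exit code 2) is reported like any failure.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Exit codes used below, taken from the EXIT CODES table.
RC_ALREADY_ENABLED=11
RC_NOT_RUNNING=252
RC_NOT_AUTHORIZED=253

# Run one firewall-cmd change and report its outcome as a word:
#   applied   - exit code 0
#   unchanged - ALREADY_ENABLED (11): the setting was already in place
#   failed:N  - anything else, N being the exit code
fw_change() {  # firewall-cmd arguments...
    if "$FIREWALL_CMD" "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0)                     echo applied ;;
        "$RC_ALREADY_ENABLED") echo unchanged ;;
        *)                     echo "failed:$rc" ;;
    esac
}

# --query-* options are special: 0 is true, 1 is false, and any other
# code is an error from the table.  Prints true, false or error:N.
fw_query() {  # firewall-cmd arguments...
    if "$FIREWALL_CMD" "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) echo true ;;
        1) echo false ;;
        *) echo "error:$rc" ;;
    esac
}

# Apply a change in both configurations, as in Example 2.  Prints
# "<runtime outcome> <permanent outcome>" and returns 0 when both are
# applied or were already in place.
fw_apply_both() {  # firewall-cmd change arguments, e.g. --add-port=443/tcp
    rt=$(fw_change "$@")
    case $rt in
        "failed:$RC_NOT_RUNNING" | "failed:$RC_NOT_AUTHORIZED")
            # The permanent step goes through the same daemon and would
            # fail the same way, so report the runtime failure and stop.
            echo "$rt"; return 1 ;;
    esac
    pm=$(fw_change --permanent "$@")
    echo "$rt $pm"
    for outcome in "$rt" "$pm"; do
        case $outcome in
            applied | unchanged) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

       With a daemon that is not running, NOT_RUNNING (252) ends the run
       early; firewall-offline-cmd(1) is the tool for that situation.
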
SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
       firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 0.9.3                                              FIREWALL-CMD(1)